Asked by IT CAMPER

Issue applying domain group policy (GPO) to a user group

Windows domain GPO not applying to custom user group but working fine when applied to Authenticated Users. I made sure under Delegation that the custom user group was configured for both "Read" and "Apply group policy". I tested the GPO with only the custom user group (the GPO setting is user based) and when I forced an update and then checked gpresult, it never showed the GPO applied. Also, the login user I was testing with was added to the custom user group. However, as soon as I added the Authenticated Users group to the GPO security filtering, the GPO applied on the next gpupdate and the GPO setting applied as expected. So I am trying to determine why the GPO is not applying when using a custom user group. It's a security group and the group scope is global - this is a small single domain controller network. Very basic. Thanks for the help!

arnold:

Where is the GPO deployed and to whom (security filter) does it apply?
Where is this custom group? Is it in an OU that blocks inheritance?

Use GPMC to run the GPO against the computer/user and it should tell you why it is not applying.

It is impossible to know without access.
Are you changing the security filter from Authenticated Users to this security group?

Please confirm it is a security group and not a distribution one.

Location of the GPO when it applies and the computer/users/security group to whom you wish this GPO to apply

IT CAMPER:


Thanks for the response! I'll evaluate the GPO tonight and get back to you. I'm fairly certain it's something simple.

Please try applying to a local group instead.


Figured it out. Well, Microsoft pointed out the issue to me. I went to remove Authenticated Users from the security filter and received a popup that GP requires each computer account to have permission to read GPO data in order to process user group settings. I did not remember that being the case in earlier versions of Server, but maybe so, as it's been a bit since I set up new GPOs. So I had to simply add Authenticated Users with read-only permissions and then set up the custom security group I had created to apply the policy. It's now working perfectly. Thank you both for the feedback!
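
The delegation described in the post above, scripted with the GroupPolicy PowerShell module as an added example (not posted by anyone in this thread). The GPO name and group name are placeholders; it checks whether computer accounts can read the GPO, grants Authenticated Users Read only if they cannot, and leaves Apply with the custom group.

```powershell
# Added example. 'Example User Policy' and 'Custom-GPO-Users' are placeholder names.
Import-Module GroupPolicy

$GpoName   = 'Example User Policy'   # placeholder: display name of the GPO
$GroupName = 'Custom-GPO-Users'      # placeholder: global security group to filter on

function Test-GpoComputerRead {
    # Returns $true when a trustee that contains computer accounts has a
    # non-denied permission entry (Read or higher) on the GPO.
    param([Parameter(Mandatory)][string]$Name)

    # Assumption: in a single-domain network these are the trustees that
    # cover the workstation's computer account.
    $computerTrustees = 'Authenticated Users', 'Domain Computers'

    $hit = Get-GPPermission -Name $Name -All | Where-Object {
        $_.Trustee.Name -in $computerTrustees -and
        -not $_.Denied -and
        $_.Permission -ne 'None'
    }
    return [bool]$hit
}

if (-not (Test-GpoComputerRead -Name $GpoName)) {
    # GpoRead grants Read without "Apply group policy", so the GPO stays
    # readable by computers but is not applied to every authenticated user.
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
        -TargetType Group -PermissionLevel GpoRead
}

# GpoApply is Read + Apply group policy: this is the actual security filter.
Set-GPPermission -Name $GpoName -TargetName $GroupName `
    -TargetType Group -PermissionLevel GpoApply

# Review the resulting delegation: only the custom group should show GpoApply.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Denied |
    Sort-Object Trustee |
    Format-Table -AutoSize
```

After running it, sign in as a member of the group and confirm with `gpupdate /force` followed by `gpresult /r` that the GPO is listed under the applied user policies.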